Moving IT from the Back Room to the Boardroom

On 10 Jul, 2015 By BankOnIT

The increasing frequency of cyber attacks makes it clear that preventative measures against today’s cyber risks need to become a priority. Attacks such as those on Target, the IRS and even the United States Office of Personnel Management illustrate the growing severity of the cybersecurity problem.

Regulators are concerned that bank board members are not aware of the cybersecurity risks their institutions are taking on and, as a result, are not able to appropriately manage those risks at the institutions they serve. During a recent banking association annual convention, an FDIC examiner made the statement, “We are taking IT out of the back room and moving it to the boardroom.” The statement sounds simple enough, but what does it mean? Information security can no longer be delegated to someone in the back room. Risks are managed in the boardroom, and IT risks should be managed there as well.

Recently, as part of a multi-agency effort to increase bank board members’ focus on information security, the FFIEC released a Cybersecurity Assessment Tool. The Assessment is a repeatable, measurable process used to illustrate an institution’s risk and cybersecurity preparedness. The intent is for a bank board to use this tool to help them recognize the cyber risks they are taking on, determine what mitigating controls are in place and decide if the level of risk is appropriate or if additional mitigation controls should be implemented.

Board members should be aware that cybersecurity is not a once-and-done activity or any single component that can be installed. Instead, effective cybersecurity protection should be designed in layers. Just as a bank protects its physical assets with multiple physical layers (alarms, video cameras, vaults, time locks, dual controls, etc.), cybersecurity also must have multiple layers to be effective. Properly trained employees, constant monitoring and management, and appropriate controls are a few of the many layers needed for effective cybersecurity defenses.

Board members have a fiduciary responsibility to protect and maintain the well-being of the banks they serve. A bank’s customer information is not the only thing a bank stands to lose if board members don’t know the cybersecurity risks they are taking on. They also stand to lose their customers’ trust.